Microsoft Pulls Windows 2000 Server Patch

Microsoft has pulled a security patch that was supposed to fix a critical vulnerability on Windows 2000 Server.

Microsoft has withdrawn a security patch issued for Windows 2000 Server as part of its Patch Tuesday update, because it fails to properly fix a critical vulnerability.

The company issued MS10-025 earlier this month as part of an 11-bulletin security update for customers. The bulletin was supposed to fix an issue affecting customers running Windows 2000 Server Service Pack 4 who installed Windows Media Services, a Microsoft platform for streaming live or on-demand audio and video.

According to Microsoft, a remote code execution vulnerability exists due to the way Windows Media Unicast Service handles specially crafted transport information packets. So far, Microsoft has not observed any attacks exploiting the vulnerability, and Windows Media Services is not enabled by default on Windows 2000 Server.

“Customers should review the bulletin for mitigations and workarounds and those with Internet-facing systems with Windows Media Services installed should evaluate and use firewall best practices to limit their overall exposure,” blogged Jerry Bryant, group manager for Microsoft Security Response Center communications. “We will continue to share updates here on the blog as available.”

As a workaround, users can disable the Windows Media Unicast Service or uninstall Windows Media Services. Instructions on how to do that are contained within the advisory.